Got this sorted out and working, and thought I should share the two pitfalls which were causing me problems.
First of all, unbelievably, the 500 Internal Server Error was being caused by an extra carriage return between my last HTTP header and the first multipart boundary. Seriously. I had two blank lines in there instead of one. Removed the extra carriage return, and my 500 vanished, being replaced by a more reasonable "(401) Unauthorized - Incorrect signature" error.

Secondly, the OAuth documentation seems a bit shaky when it comes to multipart/form-data POSTs. But basically, you do NOT use any of the POST parameters when creating your signature. And this includes all of the OAuth-specific parameters like oauth_consumer_key, oauth_signature_method, etc. Bit of a security hole imho: OAuth implements all this complexity to avoid man-in-the-middle or replay attacks, and as soon as you do a multipart POST it's all negated.

So, my signature base was literally:

POST&http%3A%2F%2Ftwitter.com%2Faccount%2Fupdate_profile_image.xml&

Just the HTTP method and the URL. No parameters. Once I made that change to the signature generation, my request went through fine and my avatar changed.

Hope this helps someone!

Cheers, David...
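An added example (not David's code) that builds the two pieces the post describes: a raw multipart/form-data request with exactly one blank line between the headers and the first boundary, plus the OAuth 1.0 signature base string from method, URL and whatever parameter set is being signed over (with no parameters it reduces to the exact string quoted above). The host, path, boundary, file bytes and secrets are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote


def oauth_encode(value):
    # OAuth 1.0 percent-encoding: only A-Z a-z 0-9 - . _ ~ are left unescaped
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD&enc(URL)&enc(normalised params).
    params is a list of (key, value) pairs; they are encoded, then sorted
    by key and value, then joined with '=' and '&'. An empty list yields a
    trailing '&' and nothing after it."""
    encoded = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params)
    normalised = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalised)])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    # Signing key is enc(consumer secret) '&' enc(token secret), result base64'd
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def multipart_request(host, path, extra_headers, boundary, field, filename, data, ctype):
    """Assemble a raw POST. The header block ends with a single CRLF CRLF;
    the first boundary line follows immediately (no extra blank line)."""
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {ctype}\r\n\r\n"
    ).encode() + data + f"\r\n--{boundary}--\r\n".encode()
    head = [f"POST {path} HTTP/1.1", f"Host: {host}"] + extra_headers + [
        f"Content-Type: multipart/form-data; boundary={boundary}",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(head).encode() + b"\r\n\r\n" + body


def header_body_split_ok(raw):
    """True when the header terminator is a single blank line, i.e. the bytes
    right after the first CRLF CRLF are not another CRLF (the 500 pitfall)."""
    idx = raw.find(b"\r\n\r\n")
    return idx != -1 and not raw[idx + 4:].startswith(b"\r\n")
```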
